Corrupted Ukrainian accountancy software ‘MEDoc’ is suspected to be the medium of a cyberattack on companies ranging from British ad agency WPP to a Tasmanian Cadbury’s factory, with many European and American firms reporting disruption to services. Banks in Ukraine, Russian oil giant Rosneft, shipping giant Maersk, a Rotterdam port operator, Dutch global parcel service TNT and US law firm DLA Piper were among those left unable to process orders or suffering general computer shutdowns.

Heralded as “a recent dangerous trend” by Microsoft, this attack comes just 6 weeks after the WannaCry attack primarily affecting NHS hospitals. Both attacks appear to make use of a Windows vulnerability called ‘Eternal Blue,’ thought to have been discovered by the NSA and leaked online – although the NSA has not confirmed this. The NSA’s possible use of this vulnerability, which has served to create a model for cyber-attacks for political and criminal hackers, has been described by security experts as “a nightmare scenario.”

A BBC report suggests that, given that 80% of all instances of this malware were in Ukraine and that the email address provided for the ‘ransom’ closed down quickly, the attack could be politically motivated and aimed at Ukraine or those who do business in Ukraine. Recent announcements suggest it could be related to data, not money.

The malware appears to have been channelled through the automatic update system, according to security experts including the malware expert credited with ending the WannaCry attack, Marcus Hutchins. The MEDoc software would have originally begun this process legitimately, but at some point the update system released the malware into numerous companies’ computer systems.

In a blog published at the end of last week, the tech firm Google have confirmed that they will stop scanning Gmail users’ emails for the sake of accruing data to be used in personalised adverts, by the end of the year. This will put the consumer version of Gmail in line with the business edition.

Google had advertised their Gmail service by offering 1GB of ‘free’ webmail storage. However, it transpired that Google was paying for this offer by running these scans.

This recent change in tactic has been met with ‘qualified’ welcome by privacy campaigners. Executive director Dr Gus Hosein of Privacy International, the British charity who have been campaigning for regulators to intervene since they discovered the scans, stated:

“When they first came up with the dangerous idea of monetising the content of our communications, Privacy International warned Google against setting the precedent of breaking the confidentiality of messages for the sake of additional income. […] Of course they can now take this decision after they have consolidated their position in the marketplace as the aggregator of nearly all the data on internet usage, aside from the other giant, Facebook.”

Google faced a fairly substantial backlash on account of these scans when they were discovered, notably from Microsoft, with their series of critical ‘Gmail man’ adverts, depicting a man searching through people’s messages.

However, digital rights watchdog Big Brother Watch celebrated Google’s move, describing it as “absolutely a step in the right direction, let’s hope it encourages others to follow suit.”

UK Conservative Party under investigation for breaching data protection and election law

A Channel 4 News undercover investigation has provoked ‘serious allegations’ of data protection and election offences against the Conservative Party.

The investigation uncovered the party’s use of a market research firm based in Neath, South Wales, to make thousands of cold calls to voters in marginal seats ahead of the election this month. Call centre staff followed a ‘market research’ script, but under scrutiny this script appears to canvass for specific local Conservative candidates – in a severe breach of election law.

Despite the information commissioner Elizabeth Denham’s written warnings to all major parties before the election began, reminding them of data protection law and the illegality of such telecommunications, the Conservatives operated a fake market research company. This constitutes a breach separate to election law, and mandates the Information Commissioner’s Office to investigate.

The ICO’s statement on 23rd June reads,

The investigation has uncovered what appear to be underhand and potentially unlawful practices at the centre, in calls made on behalf of the Conservative Party. These allegations include:

Misleading calls claiming to be from an ‘independent market research company’ which does not apparently exist

MyHome Installations Ltd fined £50,000 for nuisance calls

Facing somewhat less public scrutiny and condemnation than the Conservative Party, Maidstone domestic security firm MyHome Installations has been issued a £50,000 fine by the ICO for making nuisance calls.

The people who received these calls had explicitly opted out of telephone marketing by registering their numbers with the Telephone Preference Service (TPS), the “UK’s official opt-out of telephone marketing.”

The ICO received 169 complaints from members of the public who’d received unwanted calls about electrical surveys and home security from MyHome Installations Ltd.

Back in the 80s, there was this thing called “junk mail”. And it was so called because it involved blanket mailing a mass market with little or no targeting. In other words, the message was irrelevant to a huge proportion of the recipients, so just got thrown in the bin.

Then we discovered targeting, analysis, insight and profiling. And the direct mail messages became more appropriate, relevant, cost effective, and considerably less irritating to the consumer. A classic case of less was more.

I remember the day that “personalised laser text” became available, and we were able to send out mailings with personally addressed letters which referenced the prospect’s other interests. Letters that said (something along the lines of):

Dear Mrs Bloggs,

Because of your interest in the world’s wild places, we wanted to introduce you to our brand new books which demonstrate the extraordinary and dramatic nature of our own planet earth … from volcanoes to earthquakes ….

The letter, including that simple piece of “personal” text, was enclosed in a small envelope with a minuscule brochure and mailed out. It achieved over three times the response of the standard pre-printed control direct mail letter, which was mailed in a large envelope with an enormous, heavy, expensive brochure.

But now the European Union is proposing to take us back to the Dark Ages and the days of blanket mailings. Their new proposed legislation is currently in progress, and will impact every level of prospect marketing.

It’s quite clear that the increasing use of new technology makes revisions to current data law essential, particularly given consumer concern over privacy, which has not been helped by our own government’s appallingly cavalier behaviour and carelessness with our personal data. (Some of the breaches committed by government departments would, if committed by the data industry, have caused severe punitive measures. Somehow when it’s the government which gets it wrong, the whole thing just quietly gets swept under the carpet. Rant over…)

However, in addition to technological and social media impact, the traditional media channels will suffer significant difficulties.

A brief summary of the key areas is listed below:

Explicit consent to be granted by the recipient prior to any direct marketing – either by word or by action. In practice this means that where consent is required, organisations must ask for permission to process data. Without such explicit permission, marketing prospects will not be allowed to receive mailings or cold telemarketing calls. Current legislation allows such mailings and / or calls to be made unless the prospect has actively opted out.

The customer has the “right to be forgotten” – i.e. they can insist that their details are removed from a database in their entirety. This is entirely impractical. Once deleted, when or if that customer appears again on the database (if, for example, rented from a third party list, or in the event that the customer makes another purchase), the customer’s request for deletion will have vanished. So in practice, the “right to be forgotten” should trigger the inclusion of that customer into a “suppression” or “do not mail” file so that there is no inappropriate future contact.

Profiling or segmentation may not take place without consent. This will have serious impact on those data businesses which hold shared transactional data from multiple companies, or geo-demographic data, or indeed simply work with marketing profiling models.

List broking is likely to require significant changes to comply with new legislation.

The definition of personal data has been extended to include, potentially, IP addresses and some cookies. Quite apart from the fact that an IP address or cookie may be used by a number of individuals, this will make it much more difficult for businesses to analyse and profile web activity. The impact on digital marketing will be significant and, arguably (given that there will be no ability to provide relevant, targeted marketing) counter-productive.

Cost: DMA (UK) Ltd research shows that complying with the proposed regulation could cost companies an average of £76,000 each. It estimates a total loss to UK industry of up to £47 billion in lost sales. These costs come, in part, from:

Companies with 250 or more employees will need to appoint a data protection officer

Under current legislation, subject access requests can be charged at £10 each. Under the proposed new legislation, this charge is to be eliminated. In addition to the lost revenue from existing volumes, this is likely to increase the number of requests, frivolous and serious.

Every organisation that suffers a data security breach would have to notify the Information Commissioner within 24 hours

Right to compensation from the controller or the processor in the event of processing activity causing damage to a person

Increased fines / sanctions to be imposed

On the face of it, the picture looks pretty bleak. But there’s no need to despair just yet – there is time to provide our views on required adjustment, amendment and refinement before these proposals are ratified and become law in the UK.

But for that to happen, businesses need to act now. There is a fantastically detailed amount of excellent information to be found at the DMA (UK) Ltd. So have a look and check to see how the current proposals are likely to affect your business and your marketing.

Then we need to write to our MEPs – and the DMA has made this easy by providing this link which has all the vital information, including who your MEPs are. We need to ask them to fight for the fair interests of business.

We’re all for sharing knowledge and information and enjoy a healthy debate, so if you have any questions, views, tips or knowledge, please just “reply” below.

Victoria Tuffill – victoria@tuffillverner.co.uk 01787 277742 or 07967 148398. Feel free to visit our website. And yes, we’re on LinkedIn and Twitter.